PatchDayAlert
Analysis · 5 min read · 1,009 words · By Colten Anderson · Commentary

Patching Ivanti Sentry Closes the Door. It Doesn't Evict the Guest.

Shadowserver found backdoored Ivanti Sentry instances within 48 hours of the PoC and said the rest are most likely compromised. The patch is step one, not the answer.


If your Ivanti Sentry appliance was internet-exposed and unpatched in the days after the June 10 proof-of-concept dropped, patching it now does not make you safe. It makes you safer against the next attacker. It does nothing about the one who may already be inside. The vendor advisory says patch. The evidence says patch, then investigate, and assume compromise until forensics tells you otherwise.

That gap between the advisory and the evidence is the whole story here, so let’s be precise about both.

CVE-2026-10520 is a CVSS 10.0 OS command injection in Sentry’s MICS API. The endpoint, POST /mics/api/v2/sentry/mics-config/handleMessage, was left unauthenticated and network-reachable. Send it an XML <commandexec> block and the payload routes through Java reflection into CommonUtilities.executeNativeCommand() with no sanitization. Sentry runs its Java application server as root, so the injected command runs as root. watchTowr demonstrated it in a single unauthenticated POST. One request, no credentials, full root.

CVE-2026-10523 is the companion. CVSS 9.9, an authentication bypass that lets an unauthenticated attacker create arbitrary admin accounts on the management plane. These are two separate paths to the same place. The first gives you root at the OS layer. The second gives you persistent admin control at the application layer, which matters more than it sounds: an admin account created through 10523 is a backdoor that survives a patch if your cleanup only looked at OS-level indicators. You can rebuild the box and miss the account.

Here is why that account, on that box, is worth this much attention. Sentry, formerly MobileIron Sentry, is an MDM gateway. It proxies ActiveSync email between mobile devices and Exchange, tunnels per-app traffic to internal resources, and runs as a Kerberos KDC proxy for SSO. It lives in the DMZ by design, publicly routable, one hop from your email servers and your internal apps. Root on Sentry means access to the decrypted email and credential traffic it proxies, the ability to impersonate managed devices, and a foothold at the network position Sentry already occupies. It is a policy enforcement point for an entire mobile workforce. Owning it is not a lateral move you have to work for. It is the prize.

Now the timeline, because the timeline is the argument. Ivanti shipped patches on June 9, saying it was unaware of any customer exploitation. watchTowr published a full technical writeup and a working proof-of-concept on June 10. Ivanti later acknowledged that the KEV listing was triggered in part by reports of attempted exploitation against honeypots. The next day, June 11, the Shadowserver Foundation counted 19 internet-exposed Sentry instances still running vulnerable versions, and at least 2 were already backdoored. Their guidance was blunt: if you have not patched now, you are most likely compromised. That same day, CISA added CVE-2026-10520 to the Known Exploited Vulnerabilities catalog citing active exploitation, and set a federal remediation deadline of June 14. That deadline has passed.

Two of nineteen sounds small until you read how the count was bounded. Shadowserver only sees instances that did not blocklist its scanning IPs. An attacker who has root and wants to stay quiet blocks the scanner. So 2 is a floor, not an estimate, and it is a floor measured by someone the attacker has every reason to hide from.

What got installed as the backdoor has not been disclosed. The persistence mechanism is unknown. That is the uncomfortable part, and it is the operationally relevant part: nobody has publicly confirmed whether the post-compromise artifacts survive a Sentry upgrade. You are patching a box without knowing whether the thing you are worried about is even in scope of the patch.

We have seen this shape before. In May 2023, Barracuda patched a critical ESG vulnerability, and 17 days later told affected customers to physically replace the appliance regardless of patch status, because the patch closed the hole but did not remove the attacker. No “replace, don’t patch” directive has been issued for Sentry. I am not predicting one. But the operational logic does not wait for a vendor to say it out loud. For any instance exposed during the window, the patch prevents the next compromise. It does not address the last one.

This is the part where it would be easy to write the whole thing off as one bad month for one vendor. It isn’t. Ivanti CEO Jeff Abbott published a secure-by-design pledge in April 2024, after Emergency Directive ED 24-01 forced federal agencies to disconnect or remediate Connect Secure appliances. CISA’s director endorsed the letter. Since then, CyberScoop’s April 2025 tally put Ivanti at 16 exploited vulnerabilities since 2024, more than any other network edge vendor. EPMM took critical zero-days in January 2026. watchTowr titled one of its Ivanti writeups “Do Secure-By-Design Pledges Come With Stickers?” Sentry 10520 fits the mold exactly: unauthenticated, remotely reachable, critical, exploited within days. A single bug is an accident. This many, this consistently, after a signed pledge, is a procurement signal.

So here is the realistic posture, and it has two halves because the situation has two halves.

Patch first. R10.5.2, R10.6.2, or R10.7.1, all maintain-in-place upgrades with no major version jump. Treat it as out-of-band. Do not wait for a maintenance window; the window already closed on June 10.

Then investigate, and weight this half harder than you want to. Pull HTTP access logs and look for POST requests to /mics/api/v2/sentry/mics-config/handleMessage returning 200, especially with XML bodies containing <commandexec>. Audit for administrator accounts you did not create, the direct fingerprint of 10523. Look for unexpected processes, cron jobs, and outbound connections you can’t explain. Rotate credentials for every Exchange account and backend service whose traffic transited Sentry, because root on the proxy means root on the traffic. watchTowr published a detection artifact generator on GitHub if you need to confirm vulnerability status.
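As an added example (not from this article, Ivanti, or watchTowr), here is a small triage script for the first investigation step above: it walks access-log lines for POSTs to the handleMessage endpoint described in the CVE-2026-10520 paragraph and, where request bodies are available from a WAF or reverse proxy, flags the `<commandexec>` indicator. It assumes a combined-log-format layout, constructed sample lines, and bodies keyed by source IP and timestamp; Sentry's real log layout is not taken from the page.

```python
import re
from dataclasses import dataclass

# Indicator discussed above: unauthenticated POST to this MICS endpoint.
TARGET_PATH = "/mics/api/v2/sentry/mics-config/handleMessage"

# Combined-log-format parser; Sentry's actual access-log layout is an assumption, adjust as needed.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines, not real telemetry.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jun/2026:14:02:11 +0000] "POST /mics/api/v2/sentry/mics-config/handleMessage HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.3 - - [10/Jun/2026:14:05:40 +0000] "GET /mics/api/v2/sentry/status HTTP/1.1" 200 88 "-" "Mozilla/5.0"
203.0.113.9 - - [11/Jun/2026:03:17:09 +0000] "POST /mics/api/v2/sentry/mics-config/handleMessage?x=1 HTTP/1.1" 500 0 "-" "curl/8.4.0"
"""

# Constructed request bodies keyed by (ip, timestamp), as a WAF or proxy with body capture might supply them.
SAMPLE_BODIES = {
    ("203.0.113.7", "10/Jun/2026:14:02:11 +0000"):
        "<request><commandexec>[redacted]</commandexec></request>",
}


@dataclass
class Hit:
    ip: str
    ts: str
    status: int
    commandexec_in_body: bool

    @property
    def severity(self) -> str:
        # A 200 with a <commandexec> body is the strongest signal; a bare 200 still needs eyes on it.
        if self.status == 200 and self.commandexec_in_body:
            return "likely-exploited"
        return "review" if self.status == 200 else "attempt"


def scan_access_log(log_text: str, bodies=None) -> list:
    """Return every POST to the handleMessage endpoint, with body evidence when available."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or m["path"].split("?", 1)[0] != TARGET_PATH:
            continue
        body = (bodies or {}).get((m["ip"], m["ts"]), "")
        hits.append(Hit(m["ip"], m["ts"], int(m["status"]), "<commandexec" in body.lower()))
    return hits
```

Plain access logs carry no bodies, so without a WAF or proxy capture every 200 to this path stays at "review" and has to be judged on source, timing, and what the host shows afterwards.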

The patch tells you the door is locked now. It tells you nothing about who you locked in. For any Sentry that sat exposed and unpatched after that June 10 proof-of-concept, “patched” is not a status. It is a starting point for the investigation you actually have to run.
